Navy seeks new software tool able to predict insider threat risks

By Michael Peck

Aug 31, 2017

The Navy wants to stop a crime before it happens. Or more specifically, it wants to know which insiders are likely to steal Navy data so it can stop them before the theft.

"Recent experiences indicate identifying an insider threat is generally after the fact, thus circumventing the Navy’s ability to prevent or mitigate the situation before it happens," notes a new Navy Small Business Innovation Research solicitation, titled "Cybersecurity Insider Threat Validity and Risk Analysis."

So, the Navy is searching for an automated software tool that can combine multiple data sources to assess the likelihood of an individual committing data theft. The software would create a potential risk indicator, or PRI, for users by utilizing information from network, cyber, User Access Monitoring, security logs, SySlogs, Host Based Security Systems, packet capture and other sources.

"The PRI is an action, event, or condition that precedes the insider act and is hypothesized to be associated with the act," the Navy said. "As a part of analysis and PRI, the technology must be able to integrate, evaluate and interpret knowledge and information from the identified data sources to determine if analyst action is required."

The software's capabilities should include the ability to process categorize large amounts of data. It should also extrapolate that data "to provide realistic and validated information to individual behavioral profiles for users across different domains with different login credentials. This includes observable precursory events/activities of an insider (i.e., turning on services/protocol or redirecting Domain Name Server (DNS) zone transfer) that contributes to increased risk."

The software should also assign risk scores for various events, such as a user making a failed access attempt. Phase I of the project involves creating a conceptual framework and demonstrating a limited capability. Phase II requires a full prototype.